Office of Inspector General
U.S. Department of Labor
Office of Audit

Limited Scope Audit of Controls Over the Office of Workforce Security
UI Weekly Claims Press Release

Final Report Number: 03-00-011-03-315
Date Issued: SEP 28 2000

TABLE OF CONTENTS

ACRONYMS ..... iii

EXECUTIVE SUMMARY ..... 1

BACKGROUND, OBJECTIVES, AND SCOPE ..... 6

FINDINGS AND RECOMMENDATIONS ..... 8

1. The Embargoed Data and the UI Weekly Claims Press Release Are Processed and Produced in an Unsecured Office Environment ..... 8
   Recommendation ..... 8
   Agency's Response ..... 9
   Auditor's Conclusion ..... 9

2. There Are Security Vulnerabilities in the Procedures for Delivering the UI Weekly Claims Press Release Package to DOL Officials the Day Before the Official Release Time ..... 10
   Recommendations ..... 11
   Agency's Response ..... 11
   Auditor's Conclusion ..... 11

3. A Library Management System Is Not Used to Track Multiple Versions of Software Production Programs Used to Compile the Data ..... 12
   Recommendations ..... 12
   Agency's Response ..... 13
   Auditor's Conclusion ..... 13

4. There Is No Security Clearance Policy for Individuals With Access to Embargoed Data ..... 14
   Recommendations ..... 15
   Agency's Response ..... 15
   Auditor's Conclusion ..... 15

5. Situations Can Occur Where One Person Controls the Entire UI Weekly Claims Press Release Process ..... 16
   Recommendation ..... 16
   Agency's Response ..... 16
   Auditor's Conclusion ..... 17

6. There Are No Formal Procedures for Responding to Security Incidents ..... 18
   Recommendation ..... 18
   Agency's Response ..... 18
   Auditor's Conclusion ..... 18

7. The ETA LAN Server Administered by OTIS Does Not Have the Security Needed to Store the Embargoed UI Weekly Claims Press Release and Supporting Documents ..... 19
   Recommendations ..... 20
   Agency's Response ..... 20
   Auditor's Conclusion ..... 21

AGENCY'S RESPONSE TO DRAFT AUDIT REPORT ..... 22

U.S. Department of Labor - Office of Inspector General                         Page i

ACRONYMS

DDSS    Division of Data Systems Support
DLMS    Department of Labor Manual Series
DOL     U.S. Department of Labor
DRR     Division of Research and Reporting
ETA     Employment and Training Administration
FISCAM  Federal Information System Controls Audit Manual
GAO     General Accounting Office
LAN     local area network
NACI    National Agency Check and Inquiries
OFMA    Office of Financial Management Audits
OIG     Office of Inspector General
OIPA    Office of Information and Public Affairs
OTIS    Office of Technology and Information Services
OWS     Office of Workforce Security
NIST    National Institute of Standards and Technology
SQL     structured query language
UI      Unemployment Insurance

EXECUTIVE SUMMARY

Background

The Unemployment Insurance (UI) Weekly Claims Press Release is issued by the U.S. Department of Labor (DOL) every Thursday morning at 8:30 a.m. The UI Weekly Claims Press Release contains the National total of initial claims for UI and is one of the leading economic indicators that may affect the financial and monetary markets. Thus, the data in the press release are sensitive and embargoed from the time they are first compiled on Tuesday afternoon until the official release time on Thursday morning. As a result, there is a need to protect the data and the UI Weekly Claims Press Release from unauthorized use and release while they are in embargoed status.

States report initial UI claims (the data) to the DOL, Employment and Training Administration (ETA). Within ETA, the Office of Workforce Security (OWS), Division of Research and Reporting (DRR) is responsible for collecting and compiling the data and producing the UI Weekly Claims Press Release. DRR completes its summarization of the data approximately 40 hours before the official release time. The day before the UI Weekly Claims Press Release is released, DRR produces a package which contains the UI Weekly Claims Press Release and supporting documents and distributes it to four high-level DOL officials for their review and information. Approximately 2 hours before the release, copies of the UI Weekly Claims Press Release are delivered by the print shop to the DOL Office of Information and Public Affairs (OIPA). OIPA is responsible for issuing the UI Weekly Claims Press Release at the prescribed time in the DOL press room.

Two computer systems are used in the UI Weekly Claims Press Release process. The data are collected and compiled on an OWS National Office computer operated by the Division of Data Systems Support (DDSS). The UI Weekly Claims Press Release and supporting documents are stored on an ETA local area network (LAN) server administered by the Office of Technology and Information Services (OTIS).

Audit Results

The Office of Inspector General (OIG) performed a limited scope audit to assess (1) the internal controls used to ensure the accuracy and completeness of the data used to produce the UI Weekly Claims Press Release, and (2) the internal controls over issuing the UI Weekly Claims Press Release and safeguarding the embargoed information against unauthorized use or early release to the public (prerelease). Our audit covered all aspects of the UI Weekly Claims Press Release process, from the compiling of the data by DRR to the release of the UI Weekly Claims Press Release by OIPA.

We found that controls were adequate to ensure the accuracy and completeness of the information contained in the UI Weekly Claims Press Release. The OWS staff responsible for preparing the UI Weekly Claims Press Release followed prescribed procedures and recognized the importance of protecting the embargoed information. However, we found several significant control weaknesses that must be corrected to adequately safeguard the information against unauthorized use or prerelease to the public.

There are internal control weaknesses in three principal areas: (1) procedures used by OWS to process the data and produce the UI Weekly Claims Press Release; (2) LAN server security; and (3) OIPA's press release procedures.

Data Processing and Report Production

  • The embargoed data and UI Weekly Claims Press Release are processed and produced in an unsecured office environment.

  • There are security vulnerabilities in the procedures used to deliver advance copies of the UI Weekly Claims Press Release package to the four high-level DOL officials the day before the UI Weekly Claims Press Release is officially released.

  • A library management system is not used to track multiple versions of software production programs used to compile the data.

  • There is no security clearance policy for individuals with access to embargoed data.

  • Situations can occur where one person controls the entire UI Weekly Claims Press Release process.

  • There are no formal procedures for responding to security incidents.

LAN Server Security

The ETA LAN server has several weaknesses that compromise the security level needed for embargoed documents.

  • An excessive number of network administrators have access to the server containing the embargoed documents.

  • The embargoed documents are not encrypted while stored on the server.

  • Periodic security evaluations using a security software package are not performed.

OIPA Press Release Procedures

Hard copies of the UI Weekly Claims Press Release are not secure for a short period of time before the scheduled release to the press corps, and there is no assurance that the press corps' computer modems are disconnected until the release time. A separate report, with recommendations for corrective actions, will be provided to OIPA.

Recommendations

Following are the recommendations for the Assistant Secretary for Employment and Training to correct the internal control weaknesses found in OWS:

  • Create a restricted access office area for processing the embargoed data and producing the UI Weekly Claims Press Release. The restricted access office area should be isolated from the general office work area and should include a printer and safe.

  • Strengthen the procedures used to deliver the advance copies of the UI Weekly Claims Press Release package by requiring:

      - a "Confidential Cover Sheet" (DL 1-350) be used for the packages containing embargoed data,

      - delivery be made only when the authorized DOL official is present, and

      - a signed receipt be obtained from the person receiving the package and the receipt be maintained on file by DRR.

  • Implement a library management system to ensure that the latest versions of structured query language (SQL) programs are being used to produce the UI Weekly Claims Press Release, and store the SQL programs in a single directory with access limited to DRR staff responsible for processing the data.

  • Develop and implement a security clearance policy for individuals with access to embargoed data. The policy should ensure that:

      - the sensitivity levels for all individuals, including contract staff, with access to embargoed data are classified as high risk,

      - the appropriate security clearances are obtained for these individuals, and

      - the sensitivity of position classifications and security clearances are continually monitored.

  • Ensure that the DRR Reporting Team Leader and staff assistant responsibilities are always performed by different individuals.

  • Develop and implement formal incident response procedures that ensure the proper officials are notified, appropriate action is taken to secure the data, and the incident is investigated to identify internal control weaknesses.

  • Discontinue using the ETA LAN to store the embargoed UI Weekly Claims Press Release and supporting documents before the official release time. Instead, use a stand-alone computer located in a secure area, and ensure that:

      - procedures are developed and implemented to back up the files on a regular basis,

      - adequate access controls are used, and

      - all files containing embargoed information are encrypted.

Agency's Response

In the response to our draft report, the Assistant Secretary for Employment and Training stated that, while ETA did not view the findings as significant control weaknesses, they are important concerns and will be addressed as far as possible to implement the needed changes. ETA agreed that it would be desirable to create a restricted office area but at the current time there are severe limitations on space availability. The space where the embargoed data and the UI Weekly Claims Press Release are processed and produced is scheduled to be reconfigured in 2002. The current space plans will be reviewed to see if they can be altered at least to allow the unit to be located in an area that does not have major traffic. Additionally, ETA is looking into the technical feasibility of establishing a stand-alone system to store the embargoed UI Weekly Claims documents before release time. Concerning security clearances, ETA stated that the Federal staff currently working on the UI Weekly Claims Press Release process have been doing so for a long time. Therefore, ETA does not believe that a security clearance investigation is warranted for them. However, ETA will implement a policy to require a background investigation for any new employee who has access to the embargoed data. Concerning the process used to deliver the UI Weekly Claims Press Release package, ETA stated that receiving DOL officials will be contacted before the package is delivered and this will negate the necessity for the "Confidential Cover Sheet" (DL 1-350) and a signed receipt from the recipient. ETA agreed to implement the remaining report recommendations. ETA's entire response is included at the end of this report.

Auditor's Conclusion

We disagree with ETA's conclusion that the findings in the report are not significant control weaknesses. Because the UI Weekly Claims Press Release contains embargoed data, it is critical that the data be protected until they are released at the prescribed time. ETA must recognize that in managing security of sensitive information, the risks associated with the UI Weekly Claims Press Release process should be identified and reduced. Unauthorized use and disclosure of the embargoed data and the UI Weekly Claims Press Release can affect the financial markets and damage DOL's reputation for managing sensitive information. Therefore, it is necessary that ETA take appropriate measures to protect the embargoed data and press release and minimize the risk of unauthorized use and disclosure. By failing to recognize the significance of the report findings and the need for timely corrective action, ETA is accepting more risk than is necessary under the circumstances. We believe that ETA must take immediate corrective action, as recommended in this report, to improve the security over the UI Weekly Claims Press Release process.

BACKGROUND, OBJECTIVES, AND SCOPE

Background

The UI Weekly Claims Press Release is issued by DOL to the press every Thursday morning at 8:30 a.m. The UI Weekly Claims Press Release contains the National total of initial claims for UI and is one of the leading economic indicators that may affect the financial and monetary markets. Thus, the data in the press release are sensitive and embargoed from the time they are first compiled on Tuesday afternoon until the official release time on Thursday morning. As a result, there is a need to protect the data and the UI Weekly Claims Press Release from unauthorized use or prerelease while they are in embargoed status. Users of the UI Weekly Claims Press Release include the Federal Reserve, the Council of Economic Advisors, Congress, business organizations, brokerage houses, investment bankers, and the media.

The source of the sensitive data in the UI Weekly Claims Press Release is the initial claims data reported by the states to ETA. An initial claim is a claim for UI filed by an unemployed individual after separation from an employer. Within ETA, the OWS DRR is responsible for collecting and compiling the initial claims data and producing the UI Weekly Claims Press Release. The states report the initial claims data on the ETA 538, "Advance Weekly Initial and Continued Claims Report." The majority of the ETA 538 data is reported via an electronic entry and transmittal system which is housed on state-operated OWS SUN computers. Each of the state computers is polled nightly by the OWS National Office computer to pick up the data submitted the previous day.

DRR completes its summarization of the initial claims data approximately 40 hours before the official release time. Once the data are summarized, DRR produces a package which consists of the UI Weekly Claims Press Release and supporting documents. The day before official release time, the UI Weekly Claims Press Release package is distributed to the Deputy Assistant Secretary for Employment and Training, the Director of OWS, the DOL Chief Economist, and the ETA Office of Public Affairs for their review and information. Copies of the UI Weekly Claims Press Release are delivered by the print shop to OIPA 2 hours before the release. OIPA is responsible for issuing the UI Weekly Claims Press Release every Thursday morning in the DOL press room.

Two computer systems are used in the UI Weekly Claims Press Release process. The initial claims data are collected and compiled on an OWS National Office computer operated by DDSS. The UI Weekly Claims Press Release and supporting documents are stored on an ETA LAN server administered by OTIS.

Objectives

The audit objectives were to assess

  • the internal controls used to ensure the accuracy and completeness of the data used to produce the UI Weekly Claims Press Release, and

  • the internal controls over issuing the UI Weekly Claims Press Release and safeguarding the embargoed information against unauthorized use or prerelease.

Scope

Our audit scope was limited to the processing of data that occurs at the OWS National Office to produce the UI Weekly Claims Press Release. The audit focused on the internal controls OWS has implemented over the process of producing and releasing the UI Weekly Claims Press Release. To accomplish our audit, we gained an understanding of the process and procedures used to produce the UI Weekly Claims Press Release. We interviewed key staff persons in OWS, DRR, DDSS, OTIS, and OPA and examined the UI Weekly Claims Procedures Manual. We also observed the actual data gathering and data entry procedures. Our audit did not include testing of computer controls. For the OWS Data System, we relied on the results of the computer testing procedures that were performed by OIG's Office of Financial Management Audits (OFMA) as part of the DOL's Fiscal Year 1999 Financial Statements audit. OFMA's computer controls testing followed the General Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM) General Control procedures. For the ETA LAN, administered by OTIS, we interviewed staff to gain an understanding of automated controls over the server used to store the UI Weekly Claims Press Release and supporting documents.

The audit was performed in Washington, D.C. from March 2000 through April 2000 in accordance with generally accepted government auditing standards.

We used the following criteria in our audit:

  • National Institute of Standards and Technology's (NIST), An Introduction to Computer Security: The NIST Handbook, and the NIST, Guide for Developing Security Plans for Information Technology Systems.

  • GAO's FISCAM and Standards for Internal Control in the Federal Government.

  • Department of Labor Manual Series (DLMS) 2, Chapter 300, Security Regulations.

FINDINGS AND RECOMMENDATIONS

1. The Embargoed Data and the UI Weekly Claims Press Release Are Processed and Produced in an Unsecured Office Environment

The embargoed data and the UI Weekly Claims Press Release are processed and produced in an unsecured open office environment. While we concluded that the personnel responsible for producing and reviewing the UI Weekly Claims Press Release are security-conscious, the level of security needed for such a sensitive press release is difficult to achieve in an open office environment. We found that computer screens were visible from aisles and adjoining cubicles. Charts and reports containing embargoed UI data were printed at a shared printer. We observed a maintenance person at the entrance of a cubicle while embargoed data was displayed on the computer screen. On two occasions we observed computer screens, displaying embargoed UI data, left unattended for brief periods of time. Also, copies of the embargoed UI Weekly Claims Press Release were placed in an unlocked cubicle cabinet. The cubicle was located near an open doorway that leads to a main corridor in the DOL building. Printouts containing embargoed data were stored in a safe located in an open work area.

Physical controls and safeguards are necessary to restrict access to embargoed and sensitive material. DLMS 2, Chapter 300, Section 352(a) states: "Employees using classified information or responsible for its custody will take every precaution to prevent deliberate or casual inspection by unauthorized persons." Section 353 prescribes security storage standards for confidential information which require the same storage practices as top-secret information.

The GAO FISCAM, Section AC-3.1 on access controls, considers that physical security controls over computer resources include computer terminals. Section AC-3.1 provides that unrestricted access be limited to personnel with a legitimate need to perform their duties. Access to sensitive areas by maintenance personnel should be restricted and controlled.

Because the UI Weekly Claims Press Release may affect the movement of financial markets, strict security measures are required to protect the embargoed data and press release prior to their official release. Processing the embargoed data and preparing the press release in an open office environment increases the risk of unauthorized access and prerelease.

Recommendation

We recommend that the Assistant Secretary for Employment and Training direct OWS to create a restricted access office area for processing the embargoed UI data and producing the UI Weekly Claims Press Release. The restricted area should be isolated from the general office work area and should include a printer and safe.

Agency's Response

ETA agreed that it would be desirable to create a restricted office area but, at the current time, space availability is severely limited. The space where the embargoed data and the UI Weekly Claims Press Release are processed and produced is scheduled to be reconfigured in 2002. The current space plans will be reviewed to see if they can be altered to at least allow for the unit to be located in an area that does not have major traffic. ETA stated that the area will be made as isolated "as possible in a cubicle setting" and the safe and a printer will be located in this area.

Auditor's Conclusion

We disagree with ETA's proposed corrective action plan and the time frame to achieve it. We believe that prompt action should be taken to ensure that the embargoed data and UI Weekly Claims Press Release are processed in a secured restricted office environment. This cannot possibly be achieved in a cubicle setting. ETA's response demonstrates that management is accepting an unnecessarily high level of risk over the next 2 years in its approach to safeguarding the embargoed data and UI Weekly Claims Press Release. ETA should establish office space for this function that is physically restricted from the general work area and limits access to only authorized individuals.

2. There Are Security Vulnerabilities in the Procedures for Delivering the UI Weekly Claims Press Release Package to DOL Officials the Day Before the Official Release Time

There are security vulnerabilities in the procedures used to deliver the UI Weekly Claims Press Release package to designated DOL officials the day before the UI Weekly Claims Press Release is officially released. These vulnerabilities could compromise the security of the embargoed data and the UI Weekly Claims Press Release before the scheduled release time. We found that the required "Confidential Cover Sheet" (DL 1-350) is not used when the UI Weekly Claims Press Release package is delivered to the designated DOL officials. Additionally, the designated DOL officials are not required to be present when the UI Weekly Claims Press Release package is delivered to their offices, and signed receipts of delivery are not required from the persons receiving the package.

On Wednesday morning, approximately 24 hours before the official release time, the UI Weekly Claims Press Release package is hand-delivered to four designated DOL officials for their review and information. The UI Weekly Claims Press Release package contains copies of the embargoed UI Weekly Claims Press Release and supporting documents (graphs and a summary sheet). We identified two weaknesses in the procedures for delivering these packages.

  • The required "Confidential Cover Sheet" (DL 1-350) is not used when delivering the Weekly Claims Press Release packages. Instead, "Confidential" is written on the package envelope. DLMS 2, Chapter 300, Section 371(c)(2) requires that the "Confidential Cover Sheet" be used when confidential information is carried within DOL. It is our position that using the "Confidential Cover Sheet" increases the awareness that the package is important and should be handled with the utmost security.

  • The Weekly Claims Press Release package is normally hand-delivered to the designated DOL officials. However, procedures allow the package to be left on the DOL official's office chair if he or she is not present. A signed receipt of delivery is not required. DLMS 2, Chapter 300, Section 371(c)(4) provides that a receipt can be used to transmit confidential information if it is deemed necessary by the sender. We believe that using a signed receipt is necessary considering that the release package contains embargoed information. Additionally, security can be increased by implementing a policy that the release package only be delivered when the intended official is present.

Addressing these vulnerabilities will increase security over the delivery of the UI Weekly Claims Release package to DOL officials.

Recommendations

We recommend that the Assistant Secretary for Employment and Training direct OWS to strengthen UI Weekly Claims Press Release package delivery procedures by requiring:

  • a "Confidential Cover Sheet" (DL 1-350) be used for packages containing embargoed data,

  • delivery be made only when the authorized DOL official is present, and

  • a signed receipt be obtained from the person receiving the package and the receipt be maintained on file by DRR.

Agency's Response

ETA stated that it will implement a procedure in which the authorized DOL officials will be notified in advance that the press release packages are available. The authorized DOL officials will then contact DRR staff and inform them when they are available to personally receive the package. Then the package will be hand-delivered. This method will ensure that no one other than the recipients will have any possibility of gaining access to the press release package. ETA also stated that with this procedure, neither a security cover sheet nor a signed receipt will be necessary.

Auditor's Conclusion

ETA's response resolves part of the recommendation that delivery be made only when the authorized DOL official is present. To close the recommendation, ETA must provide documentation that the procedures were incorporated into the UI Weekly Claims Procedures Manual.

However, we disagree with ETA's response that the proposed procedure eliminates the need for the "Confidential Cover Sheet" DL 1-350, and a signed receipt. DLMS 2, Chapter 300, section 371(c), Confidential Information, specifically requires that "Hand-carried information will be covered from view by DL 1-350, Confidential Cover Sheet." Moreover, DLMS 2, Chapter 300, Section 371 requires a receipt be obtained for transferring top secret and secret material and it is optional for confidential material. Considering that the information in the press release package is sensitive and embargoed, a signed receipt from the authorized official should be obtained and kept on file for subsequent review and audit.

3.
A Library Management System Is Not Used to Track\n    Multiple Versions\n    of Software Production Programs Used to Compile\n the Data\n\n\nThe DRR staff responsible for processing the embargoed UI data for the Weekly Claims Press Release\nhas developed their own structured query language (SQL) programs which are used for production and\nanalysis of the weekly claims figures. New SQL programs are developed or changed as needed. We\nfound that there is no version control or production library to track and store the SQL programs. DRR\nstaff stores different versions of the SQL programs in their individual directories. As a result, there is no\nassurance that the staff is using the most current versions.\n\nAccording to GAO FISCAM, Section CC-3.1 on application software development and change\ncontrol, library management software provides an automated means of inventorying software, ensuring\nthat differing versions are not accidently misidentified. Library management software also provides a\nmeans of maintaining a record of software changes.\n\nAn up-to-date production library will provide assurance that DRR staff uses the latest SQL versions. It\nwill also provide a means of maintaining a record of changes made to SQL programs so that\nunauthorized changes can be detected. Considering the small number of programs used by the DRR\nstaff, this can be accomplished using either an automated or manual library management system.\n\nRecommendations\n\nWe recommend that the Assistant Secretary for Employment and Training require OWS to:\n\n    \xe2\x80\xa2   implement a library management system to ensure that the latest versions of SQL programs are\n        being used to produce the UI Weekly Claims Press Release, and\n\n    \xe2\x80\xa2   store the SQL programs in a single directory with access limited to DRR staff responsible for\n        processing the UI data for the UI Weekly Claims Press Release.\n\n\n\n\nU.S. 
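As an added illustration of the small production library this finding calls for (example code written for this page, not DRR’s or ETA’s own tooling; the program name, SQL text and author names are constructed), each registered version is identified by a SHA-256 digest, so a copy found in a staff member’s directory can be classified as the current production version, a stale earlier version, or an unregistered change that nobody recorded:

```python
"""Minimal production library for a small set of SQL programs.

Every registration is appended to a change log, and a copy of a program
found outside the library is checked against the registered digests.
The in-memory manifest stands in for the single access-restricted
directory the finding recommends (an assumption of this example).
"""
import hashlib
from dataclasses import dataclass, field


def sql_digest(text: str) -> str:
    """Digest of a SQL program with line endings and trailing blanks normalized,
    so a CRLF copy of the same program is not mistaken for a new version."""
    lines = text.replace("\r\n", "\n").splitlines()
    normalized = "\n".join(line.rstrip() for line in lines)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


@dataclass
class Version:
    number: int
    digest: str
    author: str
    note: str


@dataclass
class ProductionLibrary:
    programs: dict = field(default_factory=dict)    # name -> [Version, ...]
    change_log: list = field(default_factory=list)  # (name, number, author, note)

    def register(self, name: str, text: str, author: str, note: str) -> Version:
        """Record a new production version; re-registering identical text is a no-op."""
        versions = self.programs.setdefault(name, [])
        digest = sql_digest(text)
        if versions and versions[-1].digest == digest:
            return versions[-1]
        version = Version(len(versions) + 1, digest, author, note)
        versions.append(version)
        self.change_log.append((name, version.number, author, note))
        return version

    def current(self, name: str):
        versions = self.programs.get(name)
        return versions[-1] if versions else None

    def classify(self, name: str, text: str) -> str:
        """Classify a copy of a program found in someone's working directory."""
        versions = self.programs.get(name, [])
        if not versions:
            return "unregistered"
        digest = sql_digest(text)
        if digest == versions[-1].digest:
            return "current"
        for old in versions[:-1]:
            if old.digest == digest:
                return f"stale (version {old.number} of {len(versions)})"
        return "unauthorized"   # matches no registered version: investigate


# Constructed sample programs; not the actual DRR SQL.
WEEKLY_TOTALS_V1 = "SELECT state, SUM(initial_claims) FROM weekly_claims GROUP BY state;"
WEEKLY_TOTALS_V2 = ("SELECT state, SUM(initial_claims) FROM weekly_claims\n"
                    "WHERE week_ending = :week GROUP BY state;")
TAMPERED = WEEKLY_TOTALS_V2.replace("SUM(initial_claims)", "SUM(initial_claims) * 1.05")


def build_sample_library() -> ProductionLibrary:
    lib = ProductionLibrary()
    lib.register("weekly_totals.sql", WEEKLY_TOTALS_V1, "staff_assistant", "initial version")
    lib.register("weekly_totals.sql", WEEKLY_TOTALS_V2, "team_leader", "filter by week ending")
    return lib


def sample_audit() -> dict:
    """Check three constructed copies of weekly_totals.sql against the library."""
    lib = build_sample_library()
    copies = {
        "assistant_dir": WEEKLY_TOTALS_V1 + "\r\n",  # stale copy with Windows line endings
        "leader_dir": WEEKLY_TOTALS_V2,              # matches production
        "shared_dir": TAMPERED,                      # edited without being registered
    }
    return {where: lib.classify("weekly_totals.sql", text) for where, text in copies.items()}
```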
Agency’s Response

ETA responded that since the audit, one central directory was established on the computer and it will be used for processing all UI claims data. ETA stated that the older version of the program will only be kept until it is verified that the new version works. After verifying that the new version works, the older version will be deleted from the system to avoid confusion. Thus, it is not necessary to establish a formal library management system.

Auditor’s Conclusion

ETA’s response resolves the recommendations. The procedures described in the response basically establish a formal library management system. To close the recommendation, ETA should provide documentation that the procedures were incorporated into the UI Weekly Claims Procedures Manual.

4. There Is No Security Clearance Policy for Individuals with Access to Embargoed Data

There is no formal policy to ensure that all individuals with access to embargoed UI data and the UI Weekly Claims Press Release have the appropriate security clearances. We found that only 1 of 21 individuals who had access to the embargoed UI Weekly Press Release and/or related data had appropriate security clearances.

The Federal Personnel Manual (FPM), Chapters 731 and 736, contains requirements for various levels of background investigations for employees with access to sensitive data. Every employee with access to sensitive data is required to undergo either a Special Background Investigation, Background Investigation, Limited Background Investigation, Minimum Background Investigation, or a National Agency Check and Inquiries (NACI), depending on the position risk level (sensitivity level).

Because data in the UI Weekly Claims Press Release can affect the movement of the financial markets, we believe that all individuals who have access to the embargoed data should have a high-risk sensitivity level and Background Investigation security clearance in order to provide some assurance of employee integrity.

The following are details of our review of the security clearances performed on individuals who have access to embargoed data. We did not review the individuals’ sensitivity level designations.

    •   There were six individuals in OWS, DRR with access to the embargoed UI Weekly Press Release and related data. Five of the individuals received the standard NACI security clearance when they were hired, and the sixth individual, the Division Chief, received a Background Investigation security clearance.

    •   There were six individuals in OWS, DDSS with access to the production server used to store the weekly claims data obtained from the states. This data forms the basis for the UI Weekly Claims Press Release and is considered embargoed. We were told that all six individuals received only the standard NACI security clearance.

    •   There were nine individuals in ETA’s OTIS with access to the server used to store the Weekly Claims Press Release and supporting documents. Seven of these individuals were contract employees. We were told that none of the nine individuals had background checks.

Recommendations

We recommend that the Assistant Secretary for Employment and Training require that OWS develop and implement a security clearance policy for individuals with access to embargoed information in the UI Weekly Claims Press Release. The policy should ensure that:

    •   the sensitivity levels for all individuals, including contract staff, with access to embargoed data are classified as high risk,

    •   the appropriate security clearances are obtained for these individuals, and

    •   the sensitivity of position classifications and employee and contractor security clearances are continually monitored.

Agency’s Response

ETA responded that most contractor staff in OWS, DDSS do not currently have security clearances; however, those with access to the embargoed data do sign affidavits. ETA also stated that contractor staff have high turnover rates and that the desired background investigation could cost $2,295 per employee, which increases the cost of the contract. However, ETA stated they will be recompeting the contract within a year and will add a requirement that the contractor provide this clearance for staff who have access to embargoed data.

For Federal staff, ETA responded that the individuals currently responsible for the UI Weekly Claims Press Release have been working on this project for a long time and therefore believe that a clearance investigation is not warranted for them. However, ETA stated that a policy will be implemented that requires a background investigation for any new employee who will have access to the embargoed data. ETA stated that contractors in OTIS would not require clearances if the Weekly Claims Press Release production is taken off the LAN. (See Finding Number 7.)

Auditor’s Conclusion

We disagree with ETA’s conclusion that background investigations are not warranted for existing Federal staff. There is no basis in sound security management practices for using the employee’s length of service as a determining factor for obtaining security clearances. Decisions on security clearances should be based on access to embargoed data. This includes employees who produce the weekly claims report or who have access to the embargoed data. All personnel (employees and contractors) with access permission to computer resources in which embargoed data is stored also should have background investigations.

5. Situations Can Occur Where One Person Controls the Entire UI Weekly Claims Press Release Process

There are situations when the Reporting Team Leader in DRR controls the entire UI Weekly Claims Press Release process because of the small number of staff on the DRR Reporting Team. The process includes obtaining and entering weekly claims data from individual states, producing schedules with the National totals, and reviewing the end products.

Normally, the DRR Reporting Team staff assistant is responsible for obtaining and compiling the individual state figures and producing the initial schedules. The Team Leader is responsible for reviewing the embargoed data and advance copies of the UI Weekly Claims Press Release and distributing them to authorized officials.

We were told that there are situations when the staff assistant is on leave and the Team Leader takes over all the functions of the Weekly Claims Press Release process. We consider this situation an internal control weakness because there is no separation of duties.

The GAO Standards for Internal Control in the Federal Government, Control Activities Section, considers the division of responsibilities among staff an effective method to prevent a single individual from controlling all aspects of a critical process.

Recommendation

We recommend that the Assistant Secretary for Employment and Training require that OWS ensure that the Reporting Team Leader and staff assistant responsibilities are always performed by different individuals.

Agency’s Response

ETA responded that there are always at least two people involved in the process of collecting, checking, and publishing data and there are four people on the DRR staff who are knowledgeable in the process. Thus, the DRR Division Chief and a person in another division are available to serve as backup to the Reporting Team Leader. It is a rare circumstance when one person collects the data and that same person plus the person who creates the publication check the data. Because it is a rare circumstance, ETA believes it can function well under the current staffing and backup for this task.

Auditor’s Conclusion

ETA’s response did not address our recommendation. To resolve the recommendation, ETA must include in the UI Weekly Claims Procedure Manual a procedure that requires the Reporting Team Leader and staff assistant responsibilities always be performed by different individuals when key staff are not available.

6. There Are No Formal Procedures for Responding to Security Incidents

There are no formal procedures for responding to security incidents, such as unauthorized use or prerelease of embargoed data. DRR told us that there have been very few instances where the security of embargoed data has been jeopardized. In the event of an incident, common sense is used to handle the situation. Formal procedures should be developed and implemented to ensure that appropriate action is taken to secure the data and correct the cause of the incident.

Recommendation

We recommend that the Assistant Secretary for Employment and Training require OWS to develop and implement formal incident response procedures. The procedures must ensure that the proper officials are notified, appropriate action is taken to secure the data, and the incident is investigated to identify and correct internal control weaknesses.

Agency’s Response

ETA’s response stated that as a result of the audit, procedures have been developed and implemented for handling incidents. ETA provided a copy of the procedure that was included in the UI Weekly Claims Procedure Manual.

Auditor’s Conclusion

This recommendation is closed.

7. The ETA LAN Server Administered by OTIS Does Not Have the Security Needed to Store the Embargoed UI Weekly Claims Press Release and Supporting Documents

The UI Weekly Claims Press Release document, summary spreadsheets, and supporting charts are stored on a server that is part of the ETA LAN, which is administered by OTIS. We identified several weaknesses that compromise the security level needed for embargoed documents. The following are details of the weaknesses found.

    a.  An excessive number of network administrators have access to the server containing the embargoed documents.

        The GAO FISCAM, Section AC-2.1, provides that broad or special access privileges, such as those associated with operating system software that allow normal controls to be overridden, are only appropriate for a small number of users who perform system maintenance or handle emergency situations.

        Because the ETA LAN serves all agencies within ETA, there are numerous network administrators with access to the server that contains the embargoed UI Weekly Claims Press Release. Although the embargoed UI Weekly Claims Press Release is stored in a directory with the proper access permission controls limited to the individuals responsible for the press release, network administrators also have access to the directory. Within OTIS there are two ETA employees and seven contract employees who have network administrator access to the server.

        We believe that this is an excessive number of individuals with access permission to embargoed data and that it increases the risk of unauthorized entry into the system, prerelease, or manipulation of embargoed data in the UI Weekly Claims Press Release.

    b.  The embargoed documents are not encrypted while stored on the server.

        The NIST Special Publication 800-18, Section 6.GSS.2, defines logical access controls to include the use of encryption as a means to prevent unauthorized access to sensitive files.

        Encrypting the embargoed UI Weekly Claims Press Release while it is stored on the ETA LAN server would increase assurances against unauthorized access or misuse.

    c.  Periodic security evaluations using a security software package are not performed.

        The NIST Special Publication 800-12, Section 9.4.1.1, states that automated tools can be used to help find a variety of threats and vulnerabilities, such as improper access controls or access control configurations, weak passwords, lack of integrity of the system software, or outdated software updates and patches.

        System security requirements are constantly changing with new technologies. Therefore, network security should be periodically assessed using a security scanner or similar software that takes an automated, proactive approach to detecting security deficiencies present in the agency’s computers and networks.

Therefore, we believe that OWS should not store the UI Weekly Claims Press Release and supporting documents on the ETA LAN because it does not have the internal controls needed to secure embargoed data.

Recommendations

We recommend that the Assistant Secretary for Employment and Training require OWS to discontinue using the ETA LAN to store the embargoed UI Weekly Claims Press Release and supporting documents. Instead, require OWS to use a stand-alone computer located in a secure area and ensure that

    •   procedures are developed and implemented to back up the files on a regular basis,

    •   adequate access controls are used, and

    •   all files containing embargoed information are encrypted.

Agency’s Response

ETA responded that inquiries are being made with OTIS about the technical feasibility of establishing a stand-alone system and of still maintaining the needed backups and shared access within the staff, versus what might be required to further isolate the areas of the LAN which are used, to increase security. We expect to be able to accomplish this at the time of the office configuration in 2002.

Auditor’s Conclusion

The recommendations can be resolved when ETA makes a management decision on the action they plan to take.